﻿/* Copyright(C) 2006-2008 Dave Sexton  *
 * http://www.codeplex.com/aip         *
 * http://www.codeplex.com/aip/license *
 ***************************************/
using System;
using System.Collections.Generic;
using System.Text;

namespace DaveSexton.Web.Controls
{
	/// <summary>
	/// Specifies how <see cref="AutoInputProtection"/> will identify users.
	/// </summary>
	/// <remarks>
	///	<include file='comments.xml' path='//para[@id="UserMode_Benefits"]'/>
	/// </remarks>
	/// <seealso cref="Configuration.AutoInputProtectionSection.UserMode"/>
	/// <seealso cref="AutoInputProtection.UserMode"/>
	public enum AutoInputProtectionUserMode
	{
		/// <summary>
		/// Users are not identified.
		/// </summary>
		/// <remarks>
		/// <para>
		/// This option will cause <see cref="AutoInputProtection"/> to allow an individual user to request and 
		/// validate multiple tests simultaneously.
		/// </para>
		/// <para>Although this option is not recommended it may be required in scenarios where web users typically
		/// navigate to and from various <em>protected</em> web pages, simultaneously, perhaps to gather information 
		/// or to submit data in various forms.</para>
		/// <para>A better approach would be to validate the user once by providing a login service and then allow 
		/// the user to access protected resources while they are logged in without subsequent verification.</para>
		/// </remarks>
		None,
		/// <summary>
		/// Users are identified by their host address or host name, if either is available.  This is the default option.
		/// </summary>
		/// <remarks>
		/// This data can be spoofed easily since it's taken from HTTP headers that the user agent specifies.  
		/// However, if a malicious user agent were to specify someone else's host address, it still wouldn't be 
		/// able to pass an older test since a particular test can only be used once.
		/// </remarks>
		Client,
		/// <summary>
		/// Users are identified by their current ASP.NET session ID if sessions are enabled; otherwise, the <see cref="Client"/> option is used.
		/// </summary>
		/// <remarks>
		/// <para>This option automatically works with cookieless sessions as well as a session cookie.</para>
		/// <para>Identifying a user's session ID from a cookie or URL (cookieless) makes AIP partially vulnerable to a cross-site 
		/// request forgery attack (CSRF); however, since a user can only have one unverified test on the server at a time, the most that a CSRF 
		/// attack could possibly accomplish would be to bypass a single test that was previously requested, yet sill unused.</para>
		/// <include file='comments.xml' path='//para[@id="ASPNET_New_SessionID"]'/>
		/// </remarks>
		SessionOrClient
	}
}
